public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Alan Reiner <etotheipi@gmail.com>
To: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol)
Date: Sat, 08 Mar 2014 03:10:40 -0500	[thread overview]
Message-ID: <531AD080.40501@gmail.com> (raw)
In-Reply-To: <CA+su7OUMgeWgkMFAmmMEpW3eN=cvU47MKt51idDrmCWEiCb+VQ@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 1504 bytes --]

On 03/08/2014 01:55 AM, Edmund Edgar wrote:
> On 4 March 2014 14:07, Odinn Cyberguerrilla
> <odinn.cyberguerrilla@riseup.net
> <mailto:odinn.cyberguerrilla@riseup.net>> wrote:
>
>     Nothing is safe.
>
>
> This is true. To rephrase, imagine I gave you an ECC public key
> <ed_pub>, you gave me back a public key <odinn_pub> of your own
> devising, then I paid some money to the address resulting from
> add_pubkeys(<ed_pub>,<odinn_pub>) [1]. Can anyone either:
>
> a) Think of a way that Odinn could make an <odinn_pub> such that they
> could spend the resulting money without having <ed_priv>.
> b) Opine, somewhat knowledgeably, that this probably wouldn't be an
> easy thing to do, and they wouldn't be alarmed to see people running
> software that did this kind of thing.
>
> [1] https://github.com/vbuterin/pybitcointools/blob/master/pybitcointools/main.py#L173

Consider that I see your public key <a_pub> before I create and send you
my public key <b_pub>.

I create a new keypair, <c_pub> with <c_priv> which I know (it can be
any arbitrary key pair).  But I don't give you <c_pub>, I give you 
<b_pub> = <c_pub> minus <a_pub> (which I can do because I've seen
<a_pub> before doing this). 

Sure, I don't know the private key for <b_pub>, but it doesn't matter...
because what

<b_pub> + <a_pub> = <c_pub> (mine)

You have no way to detect this condition, because you don't know what
c_pub/c_priv I created, so you can only detect this after it's too late
(after I abuse the private key)

-Alan

[-- Attachment #2: Type: text/html, Size: 3069 bytes --]

  reply	other threads:[~2014-03-08  8:10 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-03-08  6:55 [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol) Edmund Edgar
2014-03-08  8:10 ` Alan Reiner [this message]
2014-03-08  8:51   ` Edmund Edgar
2014-03-08 10:37     ` Joel Kaartinen
2014-03-08 17:41       ` Adam Back
2014-03-08 18:15         ` Natanael
2014-03-08 23:13       ` Alan Reiner
2014-03-08 20:30     ` Alan Reiner
  -- strict thread matches above, loose matches on Subject: below --
2014-03-04  2:59 Edmund Edgar
2014-03-04  5:07 ` Odinn Cyberguerrilla

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=531AD080.40501@gmail.com \
    --to=etotheipi@gmail.com \
    --cc=bitcoin-development@lists.sourceforge.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox